While the Bitwarden apps are not as "pretty" as 1Password's, I find them a little simpler to use. Obviously UI design is highly subjective though, so your thoughts may be very different :)
Anyway yes I highly recommend Bitwarden. Kyle and the team have built and continue to run a top class product that costs 1/3 the price of 1Password.
Edit: To clarify I use Bitwarden solely for personal use. I cannot fairly compare Bitwarden and 1Password for multiuser/shared vault use.
For the longest time Bitwarden has been broken in Firefox's private browsing, since Mozilla deprecated some APIs due to security concerns. They've given alternatives but they are just refusing to fix it, to the point of basically saying Mozilla needs to fix the issue. What's sad is a similar mechanism is used in their Chrome extension. Someone even raised a working PR that the CTO wasn't fully happy with, and asked for changes (which is fair), but the PR hasn't moved since, so I'd have expected the Bitwarden employees to take it and fix it up.
It's absolutely ridiculous to still not have this fixed years later.
By contrast, I was a 1Password customer at the time this change got introduced, and they'd pushed out a fix not long after.
I will be trying the Linux client, and if it's good enough, I'll certainly switch away.
I switched to 1Password from KeePass after 5 or so years because I just got tired of maintaining the data locally and keeping it in sync on the devices I need the passwords on. I just back up the 1Password database locally now to calm some paranoia.
```
The Bitwarden browser extension does not completely function in Firefox’s private browsing mode. This is a known issue specific only to Firefox. You will see a message indicating so when you try to open the Bitwarden popup window in a private window. We have discussed the problem with Mozilla, however, they seem unable to fix it so that extensions like Bitwarden can function entirely in private mode.
```
https://bitwarden.com/help/article/extension-wont-load-in-pr...
Right Click on the field > Bitwarden > Autofill
1password used to have a peer to peer sync mode that I loved. No need for a server anywhere. You would open it on your Mac and then open it on your phone and if they were on the same network they would self discover. Too inconvenient, perhaps, for most users, but for the paranoid like me, it was ideal -- no servers involved at all.
(Technically, wifi sync I believe still exists IF you use 1password on Mac with an old style local vault, but it's basically unsupported. Mine just stopped working and I switched to 1password.com.)
In principle, you could store your Bitwarden database on a public torrent at no risk to your security :)
So, if you do trust the Bitwarden software in the first place, self-hosting it shouldn't be any more dangerous than using the managed service, because the server security isn't really a critical part of the defence model. And self-hosting allows you to build from source, if you're inclined to paranoia (even though the worst a malicious server could do is delete your database).
That said, I have still bothered to set up strict fail2ban rules on my BW instance, because why not.
It also doesn't have to be exposed to the internet. You can have it accessible behind wireguard for instance.
I have it, a DNS server, cloud storage, etc on my home lan, and use wireguard to access it on the go.
Personally, I'd trust one of my servers far more than a client shouting "yo someone send me a file to overwrite my db with" over multicast on the local starbucks wifi...
I have the exact opposite feeling. I would not self-host email but I would self-host a password manager and my files behind WireGuard, like many have said.
I have almost completely moved from cloud hosting to a home server. This is perfectly reasonable for non-critical services that don’t require more than 90% availability. The simplicity of such a setup nowadays is a breath of fresh air. Debian stable, WireGuard, Syncthing, ssh, git, ... all are low maintenance and work fine with Linux and iOS clients.
If you mean they may have a vulnerability, they've gone through a few security audits.
If you mean you can't adequately keep your own server secure, then pass it.
Use bitwarden-rs if you're planning on self-hosting.
bitwarden_rs on the other hand, works just fine, never had an issue with it or incompatibility with the browser extensions or mobile apps.
I see some of the newer premium features, particularly around SSO, are under a noncommercial visible-source license of their own devising though.
I mention this because my work uses 1PW and I don't like it at all. Not the browser extension. Not the desktop app.
Bitwarden is well worth checking out.
is a very worthwhile password manager. I like the UI.
You can pay a corporation to buy a product with more features or better service. But you can't pay a corporation to hold or maintain a principle. There will always be someone who can offer them more money to hold the opposing principle. Principled people who work for a corporation eventually leave and are replaced with apathetic or differently principled people.
In this case, the principle is the privacy and security of the credentials in your keyring. How much money do you think a bad actor would be willing to pay for these? How much money do you think a bad actor would be able to pay to a corporation that secures credentials for a huge number of users, and who can push arbitrary updates without pesky source code validation getting in the way? You and I don't have enough money to win this game.
Look at another high value target for comparison -- browser extensions that have a large installed userbase. Browser extensions are frequently bought for tens to hundreds of thousands of dollars by ad/tracking/malware vendors in order to quietly replace the extension with one that does their bidding, without the users' knowledge.
What's the solution to this problem? Open-source, inspectable, verifiable software that is maintained by a person or a community that shares your principles. I trust the work of Jason Donenfeld (pass, wireguard) and Raymond Hill (uBlock Origin) more than the work of any corporation selling a similar product at any price.
The incentive structure of corporations in general precludes them from being given the level of trust required for certain products.
Free software can still be paid software.
"Free Software" has a specific (and different) meaning than open source.
https://www.gnu.org/philosophy/free-sw.en.html
I think this is what OP meant: not wanting their software to be available at no cost.
Also a 1password user. Can't deny it's a wonderful product.
It means the gp considers the problem space sensitive enough that the source should be available for inspection and modification.
I even have a Bitwarden account and have some passwords stored on it.
I also considered "offline" managers like KeepassXC, but synchronization gets way worse, and there's also the issue about trusting someone else with your mobile apps.
I will probably end up convincing myself and keep using Bitwarden more at some point, but I will also probably do some kind of password peppering/salting along with it.
Am I really the only one here?
I'm using KeePassXC. Originally between three computers (Debian desktop, Debian laptop, and Microsoft laptop) where it was part of my git repo that I'd sync in between the machines as needed (git repo hosted within my own instance of gitolite, btw).
I've migrated more functionality into Syncthing - so now it's very rare that I ever need to do a manual merge within KeePassXC (which was always a robust operation anyway). KeePassXC has a setting to reload from disk if it sees that the password db file has changed, which makes this process seamless.
Part of my Syncthing setup is that I have a receive-only copy of my various repos on a Debian VM that runs a couple of archive tools (dirvish and borg) which provides for point-in-time restorations if needed.
So - I'm wondering what synchronisation problems you've had, and what you've tried. And what alternatives there are to trusting someone else's OS (replete with non-free components) on mobile, along with someone else's bundling of code into mobile packages?
There's a handful of keepass-compatible android apps, some of which are GPL, and Syncthing can keep a copy on Android easily enough, but ultimately there's a lot of trust in mobile land no matter how you slice it.
Mobile OSes are finally making it easier for arbitrary "file" sharing between such apps. (The iOS Files app is finally "decent" for this compared to just a few years ago.)
A similar file sync option to Syncthing I like to point out is Resilio Sync, a P2P device-to-device "torrent-like" sync tool. Among other things it also supports "encrypted shares", where a peer cannot read inside the share but can still participate as a "seed" in the torrent-like share. Resilio Sync is relatively a lot more closed/commercial than Syncthing, but its torrent-based underpinnings make it sometimes much faster with large shares. (As with everything, trade-offs to be made based on your personal threat model.)
It also has YubiKey support or can support other key files, which is good if you don't trust your cloud sync for example.
Also, not all hopes are lost. There is a 3-year-old ticket to add trigger system to KeePassXC: https://github.com/keepassxreboot/keepassxc/issues/1016
Password managers make security tradeoffs, providing a nice balance of convenience and defense against many of the most important attack vectors.
So while it is of course possible to come up with basically endless possible attack vectors for password managers (and indeed all software), it is most likely not a productive exercise.
Also, a small tangent, but if someone compromises the Play Store and is able to install malicious software on your phone, there are plenty of ways for them to get your password that don't involve password managers.
I'd go so far as saying -- most people who think they have the discipline and skill, don't. Or rather, maybe they have it maybe for a few passwords (email, online banking, work, machine passwords).
But it's almost impossible to do well once you cross ~20 passwords. Remember trying out Goodreads years ago? Well, turns out someone's hacked into your account and is posting reviews critiquing travel books for not buying into Flat Earth Theory. You only notice when searching for your name on Google. Or even nastier scenarios.
I use KeePassXC with a password and key file. I sync the database, but not the file, using Syncthing. On the whole a satisfied customer, although the browser integration isn't perfect.
If I sound like an idiot, I'd love to hear why btw! heh
- Email provider's (it's not Google)
- Domain registrar's
- 3 of my main bank account passwords
- Password of my password manager and KeePass db
- Cryptomator volume's password (I keep that Volume in Dropbox)
- Password of my laptop and phone (both 12-20 char long alphanumeric ones)
- PIN of my 2FA app
(I keep practising entering these passwords on my phone/laptop regularly)
Everything else is randomly generated strings by Bitwarden and saved there.
Sometimes I have some hints that only I can make sense of and save them in the KeePass database.
As the joke tells, I don't have to beat the chasing bear behind me, I only need to be faster than the guy running alongside me.
My secrets are stored in plain text files which are encrypted with GnuPG. Emacs (and vi too) can handle encrypted files easily, even on an Android device using the Termux (i.e. Debian) app. Syncing with rsync (even version control software is an option) works and with a bit of discipline is not a major problem.
After trying out 1Password, Dashlane, etc. I returned to LastPass - contrary to most of the reviews I found online, LastPass works much more smoothly with most sites and apps. The integration with iOS is much nicer. I found the gap between LastPass and everything else was sufficiently large that it was a no brainer to switch back.
I’m still occasionally frustrated with LastPass, but having seen what the alternatives are I won’t be revisiting them for a good few years.
Electron apps are not true Linux apps, maybe for ChromeOS they can be considered as such.
Disappointing, 1Password!
Want to do a native Linux app with Web stack? Easy, do it like in the old days, start a daemon and use the local browser.
Naturally this makes it harder, because now they would need to worry about Web standards instead of ChromeOS APIs.
A better alternative in my opinion would be Bitwarden.
https://apps.apple.com/us/app/strongbox-password-safe/id8972...
It was that plus experiencing a lot of bugginess in their apps that got me to switch to 1Password. It's been a huge improvement.
I'd be curious if someone could explain why it would be worth the effort to transition from LastPass to some other provider.
https://support.1password.com/cs/migrate-standalone/
(note the text near the end regarding licensing)
The 1Password macOS and Windows clients can be bought stand-alone, but their newer clients (such as the command-line client, for some reason) are subscription-only. It's confusing, and it looks like this Linux client is also subscription-only.
EDIT: I was wrong about 1Password 7 for Windows and macOS, see further replies.
This topic inevitably comes up on every HN 1Password thread.
The GPG keys are externally held.
Yes you can. Some YubiKeys support NFC (not sure if that works on iOS though), but also you can use USB-A <-> USB-C converter, USB-A <-> microUSB converter, or just a USB-C or lightning YubiKey, or convert to lightning I guess.
Maybe 1password offers UI to organizations. But for individuals and small groups, it seems to offer fees and less provable security.
Bitwarden_rs can achieve the same.
However, this has been _years_, 8 or 9 by my quick check on the App Store.
First there was the "agilekeychain" and the Python libraries (blimey) to read from it, so I could kinda do my thing on Linux, but then it was deprecated and they spent 18 months trying to create a CLI variant that on arrival basically never worked.
Then they pushed a subscription model which was rather expensive for the functionality too, and after paying for new versions a few times I felt a bit annoyed, and I still could not access my passwords from Linux anyway..
Then they pushed really hard for their own hosted sync (for new vaults at the very least); And without dropbox I couldn't even sync to linux. I'm not sure if they went back on that.
Either way, the problem is not that it isn't open source per se.
The problem is that it's an incredibly closed ecosystem as it exists today, and an expensive one; maybe you're better off looking at equivalently featured, free, and more open options... of which there are many.
Hearing about people using 1password, etc, I get an uncomfortable smug feeling, similar to when I hear that someone is coding in notepad.exe :(
None of these saas companies ever price single user licenses below $5, even though $1 or $2 would be much more reasonable.
1pw can count the average user's bandwidth in kilobytes per month. And while the software is refined, it’s about 1/1000th the complexity and infrastructure of Netflix or Spotify.
If it was something unimportant, like a game, ok. But a password manager? The key to all your digital life and secrets...
And in addition from an American company that will upload your (encrypted) passwords to a cloud in US?
And in addition, I find it deceptive that they try to confuse the potential users by pretending to be somehow involved or concerned by open source.
See this exchange for example:
https://www.reddit.com/r/privacy/comments/7l75d5/comment/drm...
<<We're not open-source, but we do act like it!>> Wtf?
Please don't overstate the intelligence required to use linux. It's not that high.
> ...and still use a proprietary closed source "password manager" on it.
People run plenty of proprietary closed source software on linux. This can include password managers, because perhaps they prefer it. Also a password manager of all things is something most people will need to use cross platform, not solely on linux.
> If it was something unimportant, like a game, ok. But a password manager? The key to all your digital life and secrets...
Games being another proprietary closed source application people run on linux. Games still present meaningful risks to your computing and privacy.
> And in addition from an American company that will upload your (encrypted) passwords to a cloud in US?
AgileBits is a Canadian company.
> And in addition, I find it deceptive that they try to confuse the potential users by pretending to be somehow involved or concerned by open source.
A company can be involved and concerned with regards to open source without releasing a product that is open source. Microsoft releases and contributes to a lot of open source software but Windows and Office are both closed source.
If you re-use the same password for all sites, it takes just one sketchy site being compromised for all of your other sites to become compromised. In the case of a password manager, the manager itself is the one that needs to be compromised, and you have more reason to trust them to avoid being compromised than some other random site. Some random sketchy website being hacked doesn't need to affect the rest of your network of logins if you use a manager.
Most password managers (such as 1password) won't let anyone from any machine access your stored passwords over the web by just supplying your single password. They require multiple extra steps that are quite limiting, so for the most part they first need access to a computer that you've already installed your password manager on.
Furthermore, if your password manager is compromised, you have a very clear path to your password on that manager, and then a list of all the websites, usernames and passwords that you need to change in order to regain security. By contrast, I'm still rediscovering old websites I used 10 years ago that used my old omni-password which was compromised.
And speaking as someone that operates a website accepting passwords, this happens more than you'd think. There are hackers that actively try leaked lists of username / passwords against websites using botnets. If your password is leaked by one website, people will attempt to reuse it on other websites.
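The credential-stuffing pattern described in the comment above, as an added example from the site operator's side (not code from the commenter): a detector run over constructed login-audit lines. The log format, the time window and the thresholds are assumptions; the idea is that stuffing looks like one source cycling through many distinct usernames with mostly failures, whereas a user who forgot their own password hammers one username.

```javascript
// Added example: credential-stuffing detection over constructed login-audit lines.
// Assumed line format: "<ISO time> <source ip> <username> <ok|fail>"
const sampleLog = `
2024-01-01T10:00:00Z 203.0.113.5 alice fail
2024-01-01T10:00:01Z 203.0.113.5 bob fail
2024-01-01T10:00:02Z 203.0.113.5 carol fail
2024-01-01T10:00:03Z 203.0.113.5 dave fail
2024-01-01T10:00:04Z 203.0.113.5 erin ok
2024-01-01T10:00:05Z 203.0.113.5 frank fail
2024-01-01T10:05:00Z 198.51.100.7 alice fail
2024-01-01T10:05:30Z 198.51.100.7 alice fail
2024-01-01T10:06:00Z 198.51.100.7 alice ok
`.trim();

function parseLogLine(line) {
  const [time, ip, user, result] = line.trim().split(/\s+/);
  return { time: Date.parse(time), ip, user, ok: result === 'ok' };
}

// Flags a source IP when, inside a sliding time window, it attempted at least
// `minUsers` distinct usernames and at least `minFailRatio` of those attempts failed.
// Successful logins inside a flagged window are reported as `hitUsers`: those are the
// accounts whose leaked password worked and which need a forced reset.
function detectStuffing(logText, { windowMs = 10 * 60 * 1000, minUsers = 5, minFailRatio = 0.6 } = {}) {
  const events = logText.split('\n').map(parseLogLine).sort((a, b) => a.time - b.time);
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const flagged = [];
  for (const [ip, evs] of byIp) {
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      while (evs[end].time - evs[start].time > windowMs) start++;  // slide window start
      const window = evs.slice(start, end + 1);
      const users = new Set(window.map(x => x.user));
      const failures = window.filter(x => !x.ok).length;
      if (users.size >= minUsers && failures / window.length >= minFailRatio) {
        flagged.push({
          ip,
          distinctUsers: users.size,
          attempts: window.length,
          failures,
          hitUsers: window.filter(x => x.ok).map(x => x.user),
        });
        break;  // one finding per source is enough here
      }
    }
  }
  return flagged;
}
```

On the sample data only 203.0.113.5 is flagged, with `erin` listed as the account whose password the attacker got right; 198.51.100.7 is a single user retrying their own password and is left alone.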
The secret key can be kept safe, because it is only required once for each device, when you log in the first time.
...oh wait, that's literally a password manager. Sometimes opinions are unpopular for good reasons.
This can be something like password store, or keepass, where the attacker needs both your password database unlock key / gpg passphrase, but also needs access to the database / gpg keys, which means either physical access, or at least access to your local files.
I think there is some merit to pointing this out. If 1password allows anyone to make login attempts against their service, that means some bored teenager with a botnet can make attempts at your password.
I use password-store, and I could tell you my gpg passphrase right now, but you still couldn't access any of my passwords. You'd need to get access to my yubikey and my password repository before you could do anything with that passphrase at all.
I think it's true that a setup like mine, which requires a physical hardware token to decrypt my passwords, is more secure than a password service, however I also think the parent comment is totally wrong. 1password without a hw token isn't the most secure option, but it's way better than password reuse on random sites.
Master password alone won't unlock the rest of passwords.
Your phone company will believe any random person to be you.
Not all factors are secure.
Edit: I checked: neither the macOS nor Windows version uses it. So it's not even that they think Electron is acceptable for high-quality desktop apps. They just don't consider Linux important enough to make a high-quality app for it.